[sword-devel] Doctrinal Statement

Michael Paul Johnson sword-devel@crosswire.org
Sat, 29 Jul 2000 07:48:39 -0600

At 11:38 PM 7/28/00 -0700, Jerry Hastings wrote:
>At 05:48 PM 7/28/2000 -0700, Chris Little wrote:
>>I think some kind of signing system is needed, possibly built into the
>>module format itself.  It may be time to update the sword module format to
>>include some new features.  Perhaps all modules should be encrypted such
>>that they are only properly readable if they are unaltered, something like
>>using their own checksum as an encryption key.
>Yes. Something like that should be done. It should include some kind of revision info also, so one can tell if one has a copy that is behind in corrections/revisions. All of this kind of stuff should be in the module data, not in a separate file. One should not be able to remove this info without destroying the module. Also, a list of revisions for all known Sword modules should be shipped with Sword, so the install program can check previously installed modules to see if a better version exists. Unknown modules could still be used they just wouldn't produce any message about updates.
>But, all of this is open source. Can't anyone take a text edit it and build a module that will have valid security features at the local level? This why I think some optional remote security data is also good. Not required to run, but there for those that want to do a check.

I recommend just using external PGP signatures to validate modules. Anyone can sign a module, but not everyone can sign a module with my signature or Troy's signature. Besides, open source authentication software works, too, as long as you are careful where you get it. PGP is open source.


Michael Paul Johnson                   
mpj@eBible.org    http://ebible.org/mpj